Abstract. Extended private information retrieval (EPIR) was defined by [6] at CANS '07
and generalized by [5] at AFRICACRYPT 09. In the generalized setting, EPIR allows a
user to evaluate a function on a database block such that the database can learn neither
which function has been evaluated nor on which block the function has been evaluated,
and the user learns no more information on the database blocks except for the expected
result. An EPIR protocol for evaluating polynomials over a finite field $L$ was proposed by
Bringer and Chabanne in [5]. We show that the protocol does not satisfy the correctness
requirement as they have claimed. In particular, we show that it does not give the user
the expected result with large probability if one of the coefficients of the polynomial to be
evaluated is primitive in $L$ and the others belong to the prime subfield of $L$.
1 Introduction

Extended private information retrieval (EPIR) was motivated by privacy-preserving
biometric authentication and formally defined in [6]. It enables a user to privately
evaluate a fixed and public function with two inputs, one chosen block from a
database and one additional string. Two EPIR protocols were proposed in [6].
One is for testing equality and the other is for computing weighted Hamming distance.
As a cryptographic primitive, EPIR has been generalized by [5] in order
to attain more flexibility. In the generalized setting, the function to be evaluated
is neither fixed nor public. Instead, it is chosen from a set of public functions by
the user. A new EPIR protocol in the generalized setting was proposed in [5]. As
noted in [6], EPIR is indeed a combination of private information retrieval [12]
and general secure two-party computation [18].

Related Work. Private information retrieval (PIR) was introduced by [12]. It
allows a user to retrieve a data item from a database such that the database cannot
learn which item the user is interested in. The requirement on the privacy of
the identity of the retrieved data item is called user privacy. The main measure
of the efficiency of a PIR protocol is its communication complexity, i.e., the total
number of bits exchanged by the user and the database for retrieving a single bit.
PIR protocols have been constructed in both the information-theoretic setting [1-3,
10, 12, 13, 21, 29, 31] and the computational setting [7, 9, 11, 16, 20, 23, 24, 26, 30].
In an information-theoretic PIR protocol, the database learns absolutely no information
on which item the user is interested in even if it has unlimited computing
power. On the other hand, in a computational PIR (CPIR) protocol, the identity
of the retrieved data item is not revealed only if the database is polynomial-time
and cannot efficiently solve certain number-theoretic problems, i.e., certain cryptographic
assumptions hold. For example, the PIR protocol of [11] is a two-database
CPIR protocol in which each database cannot figure out which item the user is
interested in under the assumption that one-way functions exist. The EPIR protocols
of [5, 6] are most closely related to the single-database CPIR protocols. The first
single-database CPIR protocol was proposed by [23]. It achieves user privacy under
the assumption that deciding quadratic residuosity is hard and has communication
complexity $O(N^c)$ for any small constant $c > 0$, where $N$ is the size of
the database. Subsequently, [7] constructed a single-database CPIR protocol of
communication complexity $O(\log^8(N))$ under the $\Phi$-hiding assumption. So far,
the most efficient single-database CPIR protocol was obtained by [16] under the
assumption that the decision subgroup problem is hard. It requires the user to exchange
$O(k + d)$ bits with the database for retrieving $d$ bits, where $k > \log N$ is
the security parameter. Other constructions of single-database CPIR protocols can
be found in [9, 20, 24, 30].

PIR does not provide any privacy for the database. Typically, the user may
obtain a large number of data items in an execution of a PIR protocol. In order to
prevent the user from obtaining more than one data item in any execution of a PIR
protocol, [17] introduced the notion of data privacy and proposed transformations
from information-theoretic PIR protocols to the so-called symmetrically private
information retrieval (SPIR) protocols which meet the data privacy. The SPIR
protocols of [17] are in the information-theoretic setting. SPIR can be defined
in the computational setting as well. Following the security definition of general
secure two-party and multi-party computation [18], in the computational setting, a
PIR protocol is said to achieve data privacy if, for any query, the user cannot tell
whether it is interacting with a real database which has $N$ data items or a simulator
which only knows the retrieved data item. Interestingly, single-database SPIR
protocols in the computational setting are essentially communication-efficient
1-out-of-$N$ oblivious transfer (OT) [4, 14, 19, 22, 28] protocols. Oblivious transfer
[28] is a fundamental cryptographic primitive, on which any secure two-party and
multi-party computation can be built [22] in an unconditionally secure way. A
1-out-of-$N$ OT allows a receiver Bob to choose one of the $N$ secrets held by a sender
Alice such that Alice learns no information on Bob's choice and Bob cannot learn
more than the secret he chooses. [27] proposed transformations from any PIR
protocol to an SPIR protocol in the computational setting. Their transformation
requires only one execution of a given PIR protocol and $\log N$ executions of a
1-out-of-2 OT protocol. The notion of EPIR [5, 6] is essentially a generalization of
SPIR in the computational setting.

EPIR is also related to selective private function evaluation [8], oblivious polynomial
evaluation [27] and private keyword search [15]. A selective private function
evaluation protocol [8] allows a client to privately evaluate a public function
on the inputs held by one or more servers. Compared with EPIR, the client only
decides on which inputs the public function will be evaluated. An oblivious polynomial
evaluation protocol [27] allows a receiver to privately evaluate a polynomial
function on his input, where the polynomial is held by a sender. Compared
with EPIR, the function to be evaluated is not known to the receiver and the input
on which the function is evaluated is not known to the sender. A private keyword
search protocol [15] allows a client to privately search a database with a keyword
such that he learns the associated record if the keyword is contained in the database
and learns nothing otherwise. In a sense, EPIR can also be seen as a generalization
of the above problems.

Results. The protocol described in Section 4.3 of [5] will be our main topic in
this paper and is termed the Bringer-Chabanne EPIR protocol from now on. It was
claimed in [5] that the protocol enables a user to privately evaluate any polynomial
$F(t) \in L[t]$ on a chosen database block $R_i$, where $L = \mathrm{GF}(p^n)$ is the field
extension of degree $n$ of the prime field $K = \mathrm{GF}(p)$. We study the correctness
of the Bringer-Chabanne EPIR protocol and show that it may fail frequently. In
particular, we show that, by executing the protocol, the user with input $(F(t), i) \in
L[t] \times [N]$ does not learn the expected result (i.e., $F(R_i)$) with a large probability
if $F(t) \in \mathcal{V}$, where $\mathcal{V} = \{f(t) = \sum_{k=0}^{d} f_k t^k : \exists\, 0 \le l \le d \text{ such that } f_l \in
L \text{ is of order } p^n - 1 \text{ and } f_k \in K \text{ for every } k \ne l\}$.

Methodology. Our argument is by contradiction. To simplify the argument, we
first give a restricted version of the Bringer-Chabanne EPIR protocol. In the restricted
version, the database is deterministic and only has one block, i.e., $N = 1$.
We note that if the Bringer-Chabanne EPIR protocol satisfies the correctness requirement,
then so does the restricted version. We then show that the restricted
version does not satisfy the correctness requirement if the polynomial to be evaluated
is in $\mathcal{V}$. This result allows us to conclude that the Bringer-Chabanne EPIR
protocol does not satisfy the correctness requirement as [5] has claimed.

Organization. The remainder of this paper is organized as follows. In Section
2, we recall the definition and security model of EPIR [5]. In Section 3, we recall
the Bringer-Chabanne EPIR protocol. In Section 4, we give a restricted version
of the Bringer-Chabanne EPIR protocol and show that the restricted version fails
frequently if the polynomial to be evaluated is in $\mathcal{V}$. At last, in Section 5, we
conclude the paper.

2 Preliminaries 

2.1 Definition 

Following the definition of [5], a single-database EPIR protocol is a protocol between
a database $\mathcal{DB}$ who has $N$ blocks $(R_1, \ldots, R_N) \in (\{0,1\}^h)^N$ and a user
$\mathcal{U}$ who wants to evaluate $F(R_i)$ for a function $F \in \mathcal{F}$ and an index $i \in [N]$, where
$\mathcal{F}$ is a public set of functions from $\{0,1\}^h$ to $\{0,1\}^*$. Such a protocol allows
$\mathcal{U}$ to learn $F(R_i)$ but no more information on the database blocks, while $\mathcal{DB}$ learns
no information on $(F, i)$.

The above definition of EPIR is a generalization of [6] and provides the user
with more flexibility of choosing the function $F$ from a large set $\mathcal{F}$. In the context
of this definition, the EPIR for testing equality [6] has $\mathcal{F} = \{\mathrm{IsEqual}(\cdot, X) :
X \in \{0,1\}^h\}$, where $\mathrm{IsEqual}(R_i, X) = 1$ if $R_i = X$ and $0$ otherwise. The
EPIR for computing weighted Hamming distance [6] has $\mathcal{F} = \{d_w(\cdot, X) : X \in
\{0,1\}^h, w \in \mathbb{N}^h\}$, where $d_w(R_i, X) = \sum_{j=1}^h w_j \cdot (R_i^{(j)} \oplus X^{(j)})$ (for every
$j \in [h]$, $R_i^{(j)}$ and $X^{(j)}$ are the $j$-th bits of $R_i$ and $X$, respectively).

2.2 Security Model 

As in [5,6], we denote by $\mathrm{retrieve}(F, i)$ the query made by a user with input
$(F, i) \in \mathcal{F} \times [N]$. Without further notice, algorithms are assumed to be
polynomial-time. If an algorithm $\mathcal{A}$ runs in $k$ stages, then we shall write $\mathcal{A} =
(\mathcal{A}_1, \mathcal{A}_2, \ldots, \mathcal{A}_k)$. The security is evaluated by an experiment between an attacker
and a challenger, where the challenger simulates the protocol executions and answers
the attacker's oracle queries. For $\mathcal{A}$ a probabilistic algorithm, we denote
by $\mathcal{A}(\mathcal{O}, \mathrm{retrieve})$ the action to run $\mathcal{A}$ with access to any polynomial number
of $\mathrm{retrieve}$ queries generated or answered (depending on the position of the attacker)
by the oracle $\mathcal{O}$. A function $r : \mathbb{Z} \to \mathbb{R}$ is said to be negligible if for any
polynomial $P$, there is an integer $N_P$ such that $r(n) < 1/P(n)$ for every $n > N_P$.
If $r(n)$ is negligible, then $1 - r(n)$ is said to be overwhelming.

Correctness. An EPIR protocol is said to be correct if any query $\mathrm{retrieve}(F, i)$
returns the correct value of $F(R_i)$ with an overwhelming probability when $\mathcal{U}$ and
$\mathcal{DB}$ follow the protocol specification.

User Privacy. Informally, an EPIR protocol is said to respect user privacy if for
any query $\mathrm{retrieve}(F, i)$, $\mathcal{DB}$ learns no information on $(F, i)$. Formally, an EPIR
protocol is said to respect user privacy if any attacker $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2, \mathcal{A}_3, \mathcal{A}_4)$, acting
as a malicious database, has only a negligible advantage $|\Pr[b' = b] - \frac{1}{2}|$ in the
following experiment:

$\mathrm{Exp}^{\text{user-privacy}}$

$(R_1, \ldots, R_N) \leftarrow \mathcal{A}_1(1^k)$

$1 \le i_0, i_1 \le N;\ F_0, F_1 \in \mathcal{F} \leftarrow \mathcal{A}_2(\text{Challenger}; \mathrm{retrieve})$

$b \leftarrow \{0,1\}$

$\leftarrow \mathcal{A}_3(\text{Challenger}; \mathrm{retrieve}(F_b, i_b))$

$b' \leftarrow \mathcal{A}_4(\text{Challenger}; \mathrm{retrieve})$

Database Privacy. Informally, an EPIR protocol is said to respect database privacy
if a malicious user $\mathcal{U}$ cannot learn more information than $F'(R_{i'})$ for some
$(F', i') \in \mathcal{F} \times [N]$ via a query $\mathrm{retrieve}$. This intuitive description can be formalized
via the simulation principle by saying that the user $\mathcal{U}$ cannot determine whether
he is interacting with a simulator which takes only $(i', F'(R_{i'}))$ as input, or with
$\mathcal{DB}$. We denote by $S_0$ the database $\mathcal{DB}$. Formally, an EPIR protocol is said to respect
database privacy if there is a simulator $S_1$, which receives an auxiliary input
$(i', F'(R_{i'}))$ from a hypothetical oracle $\mathcal{O}$ for every query $\mathrm{retrieve}$, such that any
attacker $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$, acting as a malicious user, has only a negligible advantage
$|\Pr[b' = b] - \frac{1}{2}|$ in the following experiment:

$\mathrm{Exp}^{\text{database-privacy}}$

$b \leftarrow \{0,1\}$

$(R_1, \ldots, R_N) \leftarrow \mathcal{A}_1(1^k)$

$b' \leftarrow \mathcal{A}_2(S_b; \mathrm{retrieve})$

Remark: The hypothetical oracle $\mathcal{O}$ is assumed to have unlimited computing resources,
and $S_1$ always learns exactly the input related to the request made by the
attacker.


3 Bringer-Chabanne EPIR Protocol 

The EPIR protocols for testing equality and computing weighted Hamming distance
of [6] are based on a pre-processing technique. Specifically, the user sends
an encryption of its input $(F, i)$ to $\mathcal{DB}$, who then computes a temporary database
which contains an encryption of $F(R_i)$. Finally, the user executes a single-database
CPIR protocol with $\mathcal{DB}$ to retrieve the encryption of $F(R_i)$. This technique does
not allow the evaluation of generic functions and incurs heavy computation during
the computation of the temporary database. The Bringer-Chabanne EPIR protocol
aims to avoid these deficiencies. It is based on ElGamal encryption schemes over
the multiplicative groups of finite fields.

3.1 ElGamal Encryption Scheme 

Let $p$ be a prime and $K = \mathrm{GF}(p)$ be the finite field of order $p$. Let $L = \mathrm{GF}(p^n)$
be the finite field of order $p^n$ and $G = L^\times$ be its multiplicative group of order
$q = p^n - 1$ for an integer $n \ge 2$. Let $g$ be a generator of $G$. The ElGamal
encryption scheme over $G$ is a triplet of algorithms $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$, where

(i) $\mathrm{Gen}$ is a key generation algorithm which takes as input a security parameter
$1^k$ and proceeds as follows:

a. generates the parameters $p$, $n$, $q$ and $g$;

b. picks $x \leftarrow \mathbb{Z}_q$ and computes $y = g^x$;

c. outputs $pk = (q, g, y)$ as the public key and $sk = x$ as the secret key.

(ii) $\mathrm{Enc}$ is an encryption algorithm which takes as input a plaintext $m \in G$,
picks $r \leftarrow \mathbb{Z}_q$ and outputs $c = (g^r, y^r m)$ as the ciphertext.

(iii) $\mathrm{Dec}$ is a decryption algorithm which takes as input a ciphertext $c = (c_1, c_2) \in
G^2$ and outputs $c_2 \cdot c_1^{-x}$.

3.2 Requirements on Database Blocks and Functions 

Following the notations in Section 3.1, let $\alpha \in L$ be a primitive element of the
field extension $L/K$. Then there is a polynomial $G(t) \in K[t]$ of degree $< n$ such
that $G(\alpha) = g$. Let $x \in \mathbb{Z}_q$ and $Y(t) \in K[t]$ be the polynomial of degree $< n$
such that $Y(\alpha) = y = g^x$.

For the Bringer-Chabanne EPIR protocol to be correct, it is required in [5] that
for every $j \in [N]$, the database block $R_j$ should belong to $B$, where

$$B = \{\beta \in G : Y(\beta) = G(\beta)^x \text{ and } G(\beta) \ne 0\}.$$

The function to be evaluated by $\mathcal{U}$ can be any polynomial over $L$, i.e., $\mathcal{F} = L[t]$.

3.3 Bringer-Chabanne EPIR Protocol 

Figure 1 is the Bringer-Chabanne EPIR protocol, where most notations are adopted
from Section 3.1 and Section 3.2. The authors of the protocol expect to embed the
description of the polynomial $F(t) \in L[t]$ chosen by $\mathcal{U}$ into an ElGamal ciphertext
such that it can be evaluated by $\mathcal{DB}$ in an oblivious way.

(i) $\mathcal{U}$: Generates an ElGamal key pair $(pk, sk)$, where $pk = (q, g, y)$, $y =
g^x$, and $sk = x$ is randomly chosen from $\mathbb{Z}_q$. $\mathcal{U}$ also sends $pk$ to give $\mathcal{DB}$
the possibility to verify the validity of $pk$ as an ElGamal public key. In
practice, the validity of $pk$ can be certified by a TTP, and the same $pk$
can be used by the user for all his queries.

(ii) $\mathcal{U}$: For any polynomial function $F : \mathrm{GF}(p^n) \to \mathrm{GF}(p^n)$ and any index
$1 \le i \le N$, computes $C_1, \ldots, C_N$ and sends them to $\mathcal{DB}$, where

- $C_i = \mathrm{Enc}(F(\alpha) + r) = (G(\alpha)^{r_i}, Y(\alpha)^{r_i}(F(\alpha) + r))$

- and $C_j = \mathrm{Enc}(1) = (G(\alpha)^{r_j}, Y(\alpha)^{r_j})$ for all $j \ne i$,

with randomly chosen $r \in \mathrm{GF}(p)$, $r_j \in \mathbb{Z}_q$ ($1 \le j \le N$). Each $C_j$ can
be written as $C_j = (V_j(\alpha), W_j(\alpha))$ where $V_j$ and $W_j$ are polynomials
over $\mathrm{GF}(p)$ of degree at most $n - 1$.

(iii) $\mathcal{DB}$: After reception of the $C_j$, checks that they are nontrivial ElGamal
ciphertexts and computes $C_j(R_j) = (V_j(R_j), W_j(R_j))$ by replacing
each occurrence of $\alpha$ (resp. $\alpha^l$ for all powers $l < n$) with $R_j$ (resp. with $R_j^l$).

(iv) $\mathcal{DB}$: Performs the product of all the $C_j$ together with a random encryption
of $1$, say $\mathrm{Enc}(1) = (g^{r'}, y^{r'})$, and sends $\mathrm{Enc}(1) \times \prod_{j=1}^N C_j(R_j) =
\left(g^{r'} \prod_{j=1}^N G(R_j)^{r_j},\ y^{r'} \left(\prod_{j=1}^N Y(R_j)^{r_j}\right)(F(R_i) + r)\right)$ to $\mathcal{U}$.

(v) $\mathcal{U}$: Outputs $\mathrm{Dec}(sk, \mathrm{Enc}(1) \prod_{j=1}^N C_j(R_j)) - r$ as $F(R_i)$.

Figure 1. Bringer-Chabanne EPIR protocol

The correctness of the Bringer-Chabanne EPIR protocol was claimed in [5] as 
follows. 

Claim 3.1. (Section 4.4 of [5]) A query (say $\mathrm{retrieve}(F, i)$) gives the expected
result (i.e., $F(R_i)$) as soon as there is no index $j$ for which one of the values
$G(R_j)$ or $Y(R_j)$ is zero, which may occur only with a negligible probability in
practice, leading to the correctness of the EPIR protocol.

4 On the Incorrectness of Bringer-Chabanne EPIR Protocol 

In this section, we show that the Bringer-Chabanne EPIR protocol does not satisfy
the correctness requirement defined in Section 2.2. To simplify the argument, we
give a restricted version of the Bringer-Chabanne EPIR protocol in which $\mathcal{DB}$ is
deterministic and $N = 1$. The restricted version satisfies the correctness requirement
as long as the Bringer-Chabanne EPIR protocol satisfies the correctness requirement.
Then we turn to study the incorrectness of the restricted version.

Yeow Meng Chee, Huaxiong Wang and Liang Feng Zhang



4.1 Restricted Version 

At step (iv) of the Bringer-Chabanne EPIR protocol, $\mathcal{DB}$ is randomizing the product
$\prod_{j=1}^N C_j(R_j)$ and sending $\mathrm{Enc}(1) \cdot \prod_{j=1}^N C_j(R_j)$ to the user. We note that
the user could have computed the same output if $\mathcal{DB}$ merely sends $\prod_{j=1}^N C_j(R_j)$.
Therefore, we can safely modify step (iv) such that $\mathcal{DB}$ merely sends $\prod_{j=1}^N C_j(R_j)$
to $\mathcal{U}$ with no impact on the correctness of the protocol. Let $i = N = 1$. Then we
have the restricted version (see Figure 2).



(i) $\mathcal{U}$: Generates an ElGamal key pair $(pk, sk)$, where $pk = (q, g, y)$, $y =
g^x$, and $sk = x$ is randomly chosen from $\mathbb{Z}_q$. $\mathcal{U}$ also sends $pk$ to give $\mathcal{DB}$
the possibility to verify the validity of $pk$ as an ElGamal public key. In
practice, the validity of $pk$ can be certified by a TTP, and the same $pk$
can be used by the user for all his queries.

(ii) $\mathcal{U}$: For any polynomial function $F : \mathrm{GF}(p^n) \to \mathrm{GF}(p^n)$, computes
$C = \mathrm{Enc}(F(\alpha) + r) = (G(\alpha)^s, Y(\alpha)^s(F(\alpha) + r))$ and sends it to
$\mathcal{DB}$, where $r \in \mathrm{GF}(p)$, $s \in \mathbb{Z}_q$ are randomly chosen. The ciphertext $C$
can be written as $C = (V(\alpha), W(\alpha))$ where $V$ and $W$ are polynomials
over $\mathrm{GF}(p)$ of degree at most $n - 1$.

(iii) $\mathcal{DB}$: After reception of $C$, checks that it is a nontrivial ElGamal
ciphertext and computes $C(R) = (V(R), W(R))$ by replacing each occurrence
of $\alpha$ (resp. $\alpha^l$ for all powers $l < n$) with $R$ (resp. with $R^l$).

(iv) $\mathcal{DB}$: Sends $C(R)$ to $\mathcal{U}$.

(v) $\mathcal{U}$: Outputs $\mathrm{Dec}(sk, C(R)) - r$ as $F(R)$.

Figure 2. A restricted version of Bringer-Chabanne EPIR protocol

Clearly, if Claim 3.1 holds, then we have: 



Claim 4.1. A query (say $\mathrm{retrieve}(F, 1)$) in an execution of the restricted version
gives $\mathcal{U}$ the expected result (i.e., $F(R)$) for any $R \in G$ satisfying $Y(R) = G(R)^x$
and $G(R) \ne 0$.
4.2 Counterexample

We show that Claim 4.1 does not hold by a counterexample. Let $p = 2$, $n =
3$, $K = \mathrm{GF}(2)$, $L = \mathrm{GF}(2^3)$ and $G = L^\times$. Let $\alpha = g \in G$ be a generator of $G$
with minimal polynomial $\mathrm{Min}_g(t) = t^3 + t + 1 \in K[t]$. Figure 3 is an execution
of the restricted version which does not give $\mathcal{U}$ the expected result.



(i) $\mathcal{U}$: Picks a private key $sk = x = 6 \in \mathbb{Z}_7$, sets $y = g^2 + 1$ and $pk =
(7, g, y)$. $(pk, sk)$ is a pair of public and private keys for the ElGamal
encryption scheme over the group $G$. $\mathcal{U}$ sends $pk$ to $\mathcal{DB}$ such that $\mathcal{DB}$ can
verify the validity of $pk$ as an ElGamal public key. Clearly, $g = G(\alpha)$
and $y = Y(\alpha)$ for the polynomials $G(t) = t$, $Y(t) = t^2 + 1 \in K[t]$ of
degree less than $3$. The field elements $R \in L$ which satisfy the equality
$Y(R) = G(R)^x$ are $g$, $g^2$ and $g^2 + g$.

(ii) $\mathcal{U}$: For the polynomial function $F(t) = g \in L[t]$, takes $s = 6 \in
\mathbb{Z}_7$, $r = 1 \in K$ and computes the ciphertext $C = \mathrm{Enc}(F(\alpha) + r) =
(G(\alpha)^s, Y(\alpha)^s(F(\alpha) + r)) = (g^6, (g^2 + 1)^6(g + 1)) = (g^2 + 1, g^2 + g)$
and sends it to $\mathcal{DB}$. Clearly, we have that $V(t) = t^2 + 1$ and
$W(t) = t^2 + t$.

(iii) $\mathcal{DB}$: Sets the database block to be $R = g^2 + g \in G$. After receiving the
ciphertext $C = (g^2 + 1, g^2 + g)$ from $\mathcal{U}$, $\mathcal{DB}$ checks that $C$ is a nontrivial
ElGamal ciphertext and computes $C(R) = (V(R), W(R)) = (R^2 +
1, R^2 + R) = (g + 1, g^2)$ by replacing each occurrence of $\alpha$ (resp. $\alpha^l$
for all powers $l < n$) with $R$ (resp. with $R^l$).

(iv) $\mathcal{DB}$: Sends $C(R) = (g + 1, g^2)$ to $\mathcal{U}$.

(v) $\mathcal{U}$: Outputs $\mathrm{Dec}(sk, C(R)) - r = g^2 + g$ as $F(R)$, which is absurd
(since $F(R) = g$).

Figure 3. An execution of the restricted version

4.3 Failure Probability 

We have seen in Section 4.2 that the restricted version may not give $\mathcal{U}$ the expected
result. However, given the counterexample, we cannot conclude that the
Bringer-Chabanne EPIR protocol does not satisfy the correctness requirement
defined in Section 2.2. In fact, an EPIR protocol is said to be correct as long as
it always gives $\mathcal{U}$ the expected result for any fixed input $(F(t), i) \in L[t] \times [N]$
except with a negligible probability. In other words, as a collection of probabilistic
algorithms, an EPIR protocol is allowed to fail with a negligible probability.
Therefore, to show that the Bringer-Chabanne EPIR protocol does not satisfy the
correctness requirement, it is necessary to compute the failure probability of the
protocol, i.e., the probability that the protocol does not give $\mathcal{U}$ the expected result.

In this section, we study the failure probability of the restricted version. We
show, through experimental results, that the restricted version does fail with large
probability for certain choices of $F(t)$ (e.g., $F(t) = g$).

From now on, we fix $p = 2$ to be the characteristic of all related finite fields.
However, we stress that our methodology is applicable to any characteristic $p$.
Following the notations of Section 3.1 and Section 3.2, let $K = \mathrm{GF}(2)$ and $L =
\mathrm{GF}(2^n)$ be the extension of $K$ of degree $n$ for an integer $n \ge 2$. Let $G = L^\times$ be the
multiplicative group of $L$ of order $q = 2^n - 1$ and $g$ be a generator of $G$. W.l.o.g.,
we suppose $\alpha = g$. Then $G(t) = t \in K[t]$ is the polynomial of degree less than
$n$ such that $G(\alpha) = g$. For every $x \in \mathbb{Z}_q$, let $Y(t) \in K[t]$ be the polynomial of
degree less than $n$ such that $Y(\alpha) = y = g^x$. We define

$$D(t) = G(t)^x + Y(t) = t^x + Y(t) \in K[t].$$

Then the set of database blocks which satisfy the requirements imposed by Claim
4.1 (or in Section 3.2) is

$$B_{n,g,x} = \{\beta \in G \mid D(\beta) = 0\}.$$

We say that an execution of the restricted version is parameterized by $(n, g, x, F,
s, r, R)$ if $x \in \mathbb{Z}_q$, $F(t) \in L[t]$, $s \in \mathbb{Z}_q$, $r \in K$ and $R \in B_{n,g,x}$ are the private key,
the polynomial to be evaluated, the randomness used at step (ii) of the restricted
version and the database block held by $\mathcal{DB}$, respectively. Let $V(t), W(t) \in K[t]$
be the polynomials of degree less than $n$ such that $V(g) = g^s$ and $W(g) =
y^s(F(g) + r)$. Then the execution of the restricted version parameterized by
$(n, g, x, F, s, r, R)$ gives $\mathcal{U}$ the expected result if and only if $V(R) \ne 0$ and
$E(R) = 0$, where

$$E(t) = W(t) + V(t)^x(F(t) + r). \qquad (4.1)$$

For an execution of the restricted version parameterized by $(n, g, x, F, s, r, R)$, we
define

$$H_{x,s,r,F,R} = \begin{cases} 1 & \text{if } V(R) \ne 0 \text{ and } E(R) = 0, \\ 0 & \text{otherwise.} \end{cases}$$

Then the execution fails if and only if $H_{x,s,r,F,R} = 0$. Therefore, the probability
that an execution of the restricted version fails when $x \in \mathbb{Z}_q$ is the private key and
$F(t) \in L[t]$ is the polynomial chosen by $\mathcal{U}$ is exactly

$$\varepsilon(n, g, x, F) = \Pr\left[s \leftarrow \mathbb{Z}_q,\ r \leftarrow K,\ R \leftarrow B_{n,g,x} : H_{x,s,r,F,R} = 0\right].$$
Since $s$, $r$ and $R$ are uniformly distributed, we have that

$$\varepsilon(n, g, x, F) = \frac{\sum_{s \in \mathbb{Z}_q} \sum_{r \in K} \sum_{R \in B_{n,g,x}} (1 - H_{x,s,r,F,R})}{2q \cdot |B_{n,g,x}|}. \qquad (4.2)$$

The probability that the restricted version fails when $F(t) \in L[t]$ is the polynomial
chosen by $\mathcal{U}$ is exactly

The probabilities $\eta(n, g, F)$ for $2 \le n \le 9$ and $F(t) = g$ are quite large and
enumerated in Table 1.



 n   $\mathrm{Min}_g(t)$                 $\eta(n, g, g)$
 2   $t^2 + t + 1$                        0.61111
 3   $t^3 + t + 1$                        0.74271
 4   $t^4 + t + 1$                        0.81537
 5   $t^5 + t^2 + 1$                      0.83630
 6   $t^6 + t^4 + t^3 + t + 1$            0.87719
 7   $t^7 + t + 1$                        0.87895
 8   $t^8 + t^4 + t^3 + t^2 + 1$          0.89809
 9   $t^9 + t^4 + 1$                      0.90358

Table 1. Failure probability
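The counterexample of Figure 3 and the failure probabilities of Table 1 can be replayed mechanically. The following is an added example, not code from the paper or from [5]: it implements the restricted version of Figure 2 over $L = \mathrm{GF}(2^n)$ with elements stored as $n$-bit integers (bit $k$ is the coefficient of $t^k$, so the "polynomial $V(t) \in K[t]$ with $V(\alpha) = v$" of step (iii) is simply the bit vector of $v$ read as coefficients), reproduces Figure 3, and computes $\varepsilon(n, g, x, F)$ by exhausting $(s, r, R)$ exactly as in (4.2). The quantity $\eta(n, g, F)$ is taken here to be the average of $\varepsilon$ over a uniformly chosen private key $x \in \mathbb{Z}_q$ (the displayed definition is lost in this copy, so this is our reading); with that reading the code returns the $n = 2$ and $n = 3$ rows of Table 1, $11/18 = 0.61111$ and $1019/1372 = 0.74271$.

```python
from fractions import Fraction


class GF2n:
    """Arithmetic in L = GF(2^n) = K[t]/(m(t)); elements are n-bit ints (bit k = coefficient of t^k).
    The class of t, the int 0b10, is alpha = g; m(t) must be the minimal polynomial Min_g(t) of Table 1."""

    def __init__(self, modulus):
        self.mod = modulus
        self.n = modulus.bit_length() - 1
        self.q = (1 << self.n) - 1          # order of the multiplicative group G = L^x
        self.alpha = 0b10
        assert self.is_primitive(), "modulus is not the minimal polynomial of a generator of G"

    def mul(self, a, b):
        """Carry-less product of a and b, reduced modulo m(t)."""
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if (a >> self.n) & 1:
                a ^= self.mod
        return r

    def pow(self, a, e):
        """a^e for a in G; exponents live in Z_q since a^q = 1 (a negative e gives the inverse power)."""
        e %= self.q
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

    def is_primitive(self):
        """True iff alpha has multiplicative order exactly q, i.e. generates G."""
        a, k = self.alpha, 1
        while a != 1 and k <= self.q:
            a, k = self.mul(a, self.alpha), k + 1
        return a == 1 and k == self.q

    def eval_rep(self, v, R):
        """Step (iii) of Figure 2: the polynomial V(t) in K[t] of degree < n with V(alpha) = v has the bits
        of v as coefficients; replacing alpha^l by R^l means evaluating that polynomial at R (Horner)."""
        acc = 0
        for k in range(self.n - 1, -1, -1):
            acc = self.mul(acc, R) ^ ((v >> k) & 1)
        return acc


def eval_poly(L, F, a):
    """Evaluate F(t) in L[t], given as a coefficient list F[k] = coefficient of t^k, at a in L."""
    acc = 0
    for c in reversed(F):
        acc = L.mul(acc, a) ^ c
    return acc


def restricted_execution(L, F, x, s, r, R):
    """One execution of the restricted version (Figure 2) parameterized by (n, g, x, F, s, r, R).
    Returns (what U outputs at step (v), the expected F(R)); the output is None if V(R) = 0."""
    g = L.alpha
    y = L.pow(g, x)                                    # step (i): pk = (q, g, y), sk = x
    c1 = L.pow(g, s)                                   # step (ii): C = Enc(F(alpha) + r)
    c2 = L.mul(L.pow(y, s), eval_poly(L, F, g) ^ r)    #   = (G(alpha)^s, Y(alpha)^s (F(alpha) + r))
    v, w = L.eval_rep(c1, R), L.eval_rep(c2, R)        # step (iii): DB computes C(R) = (V(R), W(R))
    expected = eval_poly(L, F, R)
    if v == 0:
        return None, expected
    # step (v): Dec(sk, C(R)) - r = W(R) V(R)^(-x) - r; minus is XOR in characteristic 2
    return L.mul(w, L.pow(v, -x)) ^ r, expected


def valid_blocks(L, x):
    """B_{n,g,x}: the beta in G with Y(beta) = G(beta)^x = beta^x, i.e. the roots in G of D(t) = t^x + Y(t)."""
    y = L.pow(L.alpha, x)
    return [b for b in range(1, L.q + 1) if L.eval_rep(y, b) == L.pow(b, x)]


def epsilon(L, F, x):
    """Failure probability epsilon(n, g, x, F) of (4.2): exhaust s in Z_q, r in K, R in B_{n,g,x}."""
    blocks = valid_blocks(L, x)
    fails = 0
    for s in range(L.q):
        for r in (0, 1):
            for R in blocks:
                out, expected = restricted_execution(L, F, x, s, r, R)
                fails += out != expected
    return Fraction(fails, 2 * L.q * len(blocks))


def eta(L, F):
    """eta(n, g, F): epsilon averaged over a uniform private key x in Z_q (assumed definition; reproduces Table 1)."""
    return sum(epsilon(L, F, x) for x in range(L.q)) / L.q


def counterexample():
    """Figure 3: n = 3, Min_g(t) = t^3 + t + 1, x = 6, F(t) = g, s = 6, r = 1, R = g^4 = g^2 + g."""
    L = GF2n(0b1011)
    return restricted_execution(L, [L.alpha], x=6, s=6, r=1, R=L.pow(L.alpha, 4))   # (0b110, 0b010)


if __name__ == "__main__":
    print("Figure 3 (U's output, F(R)) as bit vectors:", counterexample())
    for modulus in (0b111, 0b1011, 0b10011, 0b100101):   # Min_g(t) for n = 2..5 from Table 1
        L = GF2n(modulus)
        print(f"n = {L.n}: eta(n, g, g) = {float(eta(L, [L.alpha])):.5f}")
```

Run as a script, it prints the Figure 3 pair (0b110 is $g^2 + g$, 0b010 is $g$) and the first rows of Table 1; the loops cost about $2q^3$ executions per row, so the larger $n$ of the table are only a matter of patience. Passing a different coefficient list for `F` evaluates any other polynomial of $L[t]$, which is how one checks that the failure is specific to the class $\mathcal{V}$ and not to the constant $g$.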



4.4 Bringer-Chabanne EPIR Protocol Fails Frequently When $F(t) = g$

In this section, we show that the restricted version fails with large probability when
$F(t) = g$. Specifically, for every integer $n \ge 2$, we give a lower bound on $\eta(n, g, g)$.

We follow the notations in Section 4.3. For every $j \in \mathbb{Z}_q$, the set $C = \{j \cdot
2^k \bmod q \mid k = 0, 1, 2, \ldots\}$ is called a cyclotomic coset mod $q$. By default, $C$ is
represented by the smallest number $u \in C$ and denoted as

$$C_u = \{j \cdot 2^k \bmod q \mid k = 0, 1, 2, \ldots\}.$$

The number $u$ is called the coset representative of $C$. Clearly, all distinct cyclotomic
cosets mod $q$ are pairwise disjoint and form a partition of $\mathbb{Z}_q$, i.e., $\mathbb{Z}_q =
\bigcup_{u \in U} C_u$, where $U$ is the set of coset representatives of all distinct cyclotomic
cosets mod $q$. For every positive integer $d$, we denote by $N_2(d)$ the number of
monic irreducible polynomials of degree $d$ in $K[t]$.
Lemma 4.1. (Lidl and Niederreiter [25]) The following statements hold:

(i) For every $u \in U$, the cardinality of $C_u$ is a divisor of $n$.

(ii) For every positive integer $d \mid n$, the number of cyclotomic cosets mod $q$ of
cardinality $d$ is $N_2(d)$.

(iii) For every integer $d \ge 2$, we have that $N_2(d) \le (2^d - 2)/d$.

For every $u \in U$, we denote by

$$D_u = \{g^j \mid j \in C_u\}$$

the set of field elements in $L$ which share the same minimal polynomial over $K$
with $g^u$. For every $x \in \mathbb{Z}_q$, it is clear that there is a subset $U_x \subseteq U$ of coset
representatives such that

$$B_{n,g,x} = \bigcup_{u \in U_x} D_u. \qquad (4.4)$$

Lemma 4.2. For every $x \in \mathbb{Z}_q$, we have that $1 \in U_x$.

Proof. It follows from the fact that $D(t) \in K[t]$ and $D(g) = 0$. $\square$

Due to (4.1), $E(t)$ is determined by the parameters $g \in G$, $x \in \mathbb{Z}_q$, $F(t) \in L[t]$,
$s \in \mathbb{Z}_q$ and $r \in K$. The next lemma shows that $E(t)$ and $D(t)$ only share a very
small number of roots in $L$ when $F(t) = g$.

Lemma 4.3. Suppose $F(t) = g$. Then for every $x \in \mathbb{Z}_q$, $u \in U_x$, $s \in \mathbb{Z}_q$ and
$r \in K$, either $V(\beta) = 0$ for every $\beta \in D_u$ or $E(t)$ has at most one root in $D_u$.

Proof. If $V(g^u) = 0$, then $V(g^{u \cdot 2^j}) = V(g^u)^{2^j} = 0$ for any $j \in \mathbb{N}$, i.e., $V(\beta) = 0$
for every $\beta \in D_u$. Otherwise, we show that $E(t)$ has at most one root in $D_u$. Due
to (4.1), we have that

$$E(t) = W(t) + V(t)^x(g + r).$$

Suppose that $E(t)$ has two different roots in $D_u$, say $g^{u \cdot 2^j}$ and $g^{u \cdot 2^k}$, where $0 \le
j < k < n$. Then

$$W(g^{u \cdot 2^j}) + V(g^{u \cdot 2^j})^x(g + r) = 0 = W(g^{u \cdot 2^k}) + V(g^{u \cdot 2^k})^x(g + r).$$

It follows that

$$(g + r)^{2^{n-j}} = \left(W(g^u)/V(g^u)^x\right)^{2^n} = (g + r)^{2^{n-k}}.$$

Since $r \in K$, the above equality implies $g^{2^{n-j}} = g^{2^{n-k}}$. Since $g$ is primitive, we
have $(2^n - 1) \mid (2^{n-j} - 2^{n-k})$. It follows that $n \mid (k - j)$, which is a contradiction. $\square$
The following lemma gives a lower bound on $\varepsilon(n, g, x, g)$ for any private key
$x \in \mathbb{Z}_q$.

Lemma 4.4. For every $x \in \mathbb{Z}_q$, we have that $\varepsilon(n, g, x, g) \ge 1 - \dfrac{|U_x|}{|B_{n,g,x}|}$.



Proof. Due to (4.2) and (4.4), we have that

$$\varepsilon(n, g, x, g) = \frac{\sum_{s \in \mathbb{Z}_q} \sum_{r \in K} \sum_{R \in B_{n,g,x}} (1 - H_{x,s,r,g,R})}{2q \cdot |B_{n,g,x}|}
= \frac{\sum_{s \in \mathbb{Z}_q} \sum_{r \in K} \sum_{u \in U_x} \sum_{R \in D_u} (1 - H_{x,s,r,g,R})}{2q \cdot |B_{n,g,x}|}.$$

Let $s \in \mathbb{Z}_q$ and $r \in K$ be arbitrary. Due to Lemma 4.3, for every $u \in U_x$, either
$V(\beta) = 0$ for every $\beta \in D_u$, or $E(t)$ has at most one root in $D_u$. It follows that

$$\sum_{R \in D_u} (1 - H_{x,s,r,g,R}) \ge |C_u| - 1.$$

Therefore,

$$\varepsilon(n, g, x, g) \ge \frac{\sum_{s \in \mathbb{Z}_q} \sum_{r \in K} \sum_{u \in U_x} (|C_u| - 1)}{2q \cdot |B_{n,g,x}|}
= \frac{|B_{n,g,x}| - |U_x|}{|B_{n,g,x}|} = 1 - \frac{|U_x|}{|B_{n,g,x}|}. \qquad \square$$



We want to bound $\varepsilon(n, g, x, g)$ for various settings of $n$ and $x$. As the first case,
we suppose that $n$ is a prime and have the following lemma:

Lemma 4.5. If $n$ is prime, then $\varepsilon(n, g, x, g) \ge 1 - \dfrac{2}{n}$ for every $x \in \mathbb{Z}_q$.

Proof. Due to Lemma 4.1, $|C_u|$ divides $n$ for every $x \in \mathbb{Z}_q$ and $u \in U_x$. Since $n$
is prime, we have that $|C_u| = 1$ or $n$.

(i) If $|U_x| = 1$, then $U_x = \{1\}$ due to Lemma 4.2. It is obvious that $|C_1| = n$.
By Lemma 4.4, we have

(ii) If $|U_x| > 1$ and $0 \in U_x$, then we have that

$$\varepsilon(n, g, x, g) \ge 1 - \frac{|U_x|}{|B_{n,g,x}|} = 1 - \frac{|U_x|}{1 + n(|U_x| - 1)} \ge 1 - \frac{2}{n}.$$

(iii) If $|U_x| > 1$ and $0 \notin U_x$, then we have that

$$\varepsilon(n, g, x, g) \ge 1 - \frac{|U_x|}{|B_{n,g,x}|} = 1 - \frac{|U_x|}{n \cdot |U_x|} = 1 - \frac{1}{n} \ge 1 - \frac{2}{n}.$$



Below we lower bound $\varepsilon(n, g, x, g)$ for any integer $n \ge 2$ and private key
$x \in \mathbb{Z}_q$. For any positive integer $d \mid n$, we set

$$\lambda_{x,d} = |\{u : u \in U_x \text{ and } C_u \text{ is of cardinality } d\}|.$$

Due to Lemma 4.2 and the requirements on the database block $R$ (imposed by Claim
4.1), $\lambda_x = (\lambda_{x,d})_{d \mid n}$ belongs to the following set

$$\Psi_n = \{z = (z_d)_{d \mid n} : 0 \le z_1 \le 1;\ 1 \le z_n \le N_2(n);\ 0 \le z_d \le N_2(d) \text{ for } d \mid n,\ 1 < d < n\},$$

where the coordinates of $\lambda_x$ and $z$ are indexed by the positive divisors of $n$. Due to
Lemma 4.4, we have that

$$\varepsilon(n, g, x, g) \ge 1 - \frac{|U_x|}{|B_{n,g,x}|} = 1 - \frac{\sum_{d \mid n} \lambda_{x,d}}{\sum_{d \mid n} d\,\lambda_{x,d}}. \qquad (4.5)$$

We turn to upper bound the following function

$$\psi_n(z) = \frac{\sum_{d \mid n} z_d}{\sum_{d \mid n} d\,z_d}$$

on $\Psi_n$. Because this is relatively hard, we turn to upper bound the function

$$\phi_n(z) = \frac{\sum_{d=1}^n z_d}{\sum_{d=1}^n d\,z_d},$$

where $z = (z_1, \ldots, z_n)$ is taken from the following set

$$\Phi_n = \{z = (z_1, \ldots, z_n) : 0 \le z_1 \le 1;\ 1 \le z_n \le N_2(n);\ 0 \le z_d \le N_2(d) \text{ for } 1 < d < n\}.$$

Let $\omega(n)$ be the maximum value of $\phi_n(z)$ on $\Phi_n$, i.e.,

$$\omega(n) = \max\{\phi_n(z) : z \in \Phi_n\}.$$
Lemma 4.6. For every $x \in \mathbb{Z}_q$, we have that $\varepsilon(n, g, x, g) \ge 1 - \omega(n)$.

Proof. Clearly, $\omega(n) = \max\{\phi_n(z) : z \in \Phi_n\} \ge \max\{\psi_n(z) : z \in \Psi_n\} \ge
\psi_n(\lambda_x)$. Due to (4.5), we have that $\varepsilon(n, g, x, g) \ge 1 - \psi_n(\lambda_x) \ge 1 - \omega(n)$ for
every $x \in \mathbb{Z}_q$. $\square$

Due to Lemma 4.6, it is sufficient to upper bound $\omega(n)$.

Lemma 4.7. Suppose that $\omega(n) = \phi_n(\xi)$ for $\xi = (\xi_1, \ldots, \xi_n) \in \Phi_n$. Then $\xi_1 =
\xi_n = 1$. Furthermore, if $n \ge 3$, then there is an integer $1 \le h < n$ such that
$\xi_d = N_2(d)$ for every integer $1 < d \le h$ and $\xi_d = 0$ for every integer $h < d < n$.

Proof. It is trivial to verify that $\xi_1 = \xi_2 = 1$ for $n = 2$. Let $n \ge 3$.

(i) For every $(0, z_2, \ldots, z_n), (1, z_2, \ldots, z_n) \in \Phi_n$, it is easy to see that

$$\phi_n(0, z_2, \ldots, z_n) - \phi_n(1, z_2, \ldots, z_n) < 0,$$

which implies that $\xi_1 = 1$.

(ii) For every $(1, z_2, \ldots, z_{n-1}, z_n), (1, z_2, \ldots, z_{n-1}, 1) \in \Phi_n$ (where $z_n > 1$), it
is easy to see that

$$\phi_n(1, z_2, \ldots, z_{n-1}, z_n) - \phi_n(1, z_2, \ldots, z_{n-1}, 1) < 0,$$

which implies that $\xi_n = 1$.

(iii) Suppose $0 < \xi_h < N_2(h)$ for some integer $1 < h < n$. Let

$$C_1 = \sum_{d=1}^{h-1} \xi_d, \quad C_2 = \sum_{d=h+1}^{n} \xi_d, \quad C_3 = \sum_{d=1}^{h-1} d\,\xi_d, \quad C_4 = \sum_{d=h+1}^{n} d\,\xi_d.$$

Then due to the maximality of $\omega(n)$, we have that

$$0 \ge \phi_n(\xi_1, \ldots, \xi_h + 1, \ldots, \xi_n) - \phi_n(\xi) = \frac{C_3 + C_4 - hC_1 - hC_2}{(C_3 + h(\xi_h + 1) + C_4)(C_3 + h\xi_h + C_4)},$$

$$0 \ge \phi_n(\xi_1, \ldots, \xi_h - 1, \ldots, \xi_n) - \phi_n(\xi) = \frac{-C_3 - C_4 + hC_1 + hC_2}{(C_3 + h(\xi_h - 1) + C_4)(C_3 + h\xi_h + C_4)}.$$

The above inequalities imply that $C_3 + C_4 = hC_1 + hC_2$. Hence, we have

$$\omega(n) = \phi_n(\xi) = \frac{\sum_{d=1}^n \xi_d}{\sum_{d=1}^n d\,\xi_d} = \frac{1}{h}.$$
(iv) We claim that $\xi_a = N_2(a)$ for every $1 < a < h$. Otherwise, by (iii), we have
that $\xi_a = 0$ and

$$\omega(n) < \phi_n(\xi_1, \ldots, \xi_a + 1, \ldots, \xi_h - 1, \ldots, \xi_n),$$

which is a contradiction.

(v) We claim that $\xi_b = 0$ for every $h < b < n$. Otherwise, by (iii), we have that
$\xi_b = N_2(b)$ and

$$\omega(n) < \phi_n(\xi_1, \ldots, \xi_h + 1, \ldots, \xi_b - 1, \ldots, \xi_n),$$

which is a contradiction.

(vi) Finally, we show that $\omega(n) = \phi_n(1, N_2(2), \ldots, N_2(h), 0, \ldots, 0, 1)$. Due to
(iii), (iv) and (v), we have that

$$\xi = (1, N_2(2), \ldots, N_2(h-1), \xi_h, 0, \ldots, 0, 1),$$

where $0 < \xi_h < N_2(h)$. Since $\phi_n(\xi) = \omega(n) \ge \phi_n(1, N_2(2), \ldots, N_2(h -
1), 0, 0, \ldots, 0, 1)$, we have

$$hC_1 - C_3 \le n - h.$$

If $hC_1 - C_3 < n - h$, then

$$\omega(n) < \phi_n(1, N_2(2), \ldots, N_2(h), 0, \ldots, 0, 1),$$

which is a contradiction. Therefore, $hC_1 - C_3 = n - h$. Then it is not hard
to verify that

$$\omega(n) = \phi_n(\xi) = \phi_n(1, N_2(2), \ldots, N_2(h), 0, \ldots, 0, 1).$$

Therefore, we could have taken $\xi = (1, N_2(2), \ldots, N_2(h), 0, \ldots, 0, 1)$. $\square$

Due to Lemma 4.7, for every integer $n \ge 3$, there is at least one integer $1 \le h < n$ such that

$$\omega(n) = \phi_n(1, N_2(2), \ldots, N_2(h), 0, \ldots, 0, 1). \tag{4.6}$$

Note that the integer $h$ may not be unique. For every integer $n \ge 3$, we define

$$h(n) = \min\{h : \omega(n) = \phi_n(1, N_2(2), \ldots, N_2(h), 0, \ldots, 0, 1),\ \text{where } 1 \le h < n\} \tag{4.7}$$

to be the smallest integer $1 \le h < n$ such that (4.6) holds. The next lemma shows that $h(n)$ is a non-decreasing function of $n$.
Lemma 4.8. We have that $h(n+1) \ge h(n)$ for every integer $n \ge 3$.

Proof. Due to the definition of $h(\cdot)$ by (4.7), it is not hard to see that

$$\phi_n(1, N_2(2), \ldots, N_2(l-1), N_2(l), 0, \ldots, 0, 1) > \phi_n(1, N_2(2), \ldots, N_2(l-1), 0, 0, \ldots, 0, 1)$$

for every integer $2 \le l \le h(n)$. Equivalently, we have that

$$\frac{1}{l} > \frac{\sum_{d=2}^{l-1} N_2(d) + 2}{\sum_{d=2}^{l-1} d\,N_2(d) + n + 1} \tag{4.8}$$

for every integer $2 \le l \le h(n)$. Due to (4.8), it is not hard to verify that

$$\phi_{n+1}(1, N_2(2), \ldots, N_2(l-1), N_2(l), 0, \ldots, 0, 1) > \phi_{n+1}(1, N_2(2), \ldots, N_2(l-1), 0, 0, \ldots, 0, 1) \tag{4.9}$$

for every integer $2 \le l \le h(n)$. In particular, (4.9) holds for $l = h(n)$. This implies that $h(n+1) \ge h(n)$. □

On the other hand, $\omega(n)$ is a decreasing function of $n$:

Lemma 4.9. We have that $\omega(n+1) < \omega(n)$ for every integer $n \ge 3$.

Proof. By Lemma 4.8, we have that $h(n+1) \ge h(n)$. If $h(n+1) = h(n)$, then

$$\omega(n+1) = \frac{\sum_{d=2}^{h(n+1)} N_2(d) + 2}{\sum_{d=2}^{h(n+1)} d\,N_2(d) + n + 2} = \frac{\sum_{d=2}^{h(n)} N_2(d) + 2}{\sum_{d=2}^{h(n)} d\,N_2(d) + n + 2} < \frac{\sum_{d=2}^{h(n)} N_2(d) + 2}{\sum_{d=2}^{h(n)} d\,N_2(d) + n + 1} = \omega(n).$$

If $h(n+1) > h(n)$, then

$$\omega(n) = \frac{\sum_{d=2}^{h(n)} N_2(d) + 2}{\sum_{d=2}^{h(n)} d\,N_2(d) + n + 1} \ge \frac{\sum_{d=2}^{h(n+1)} N_2(d) + 2}{\sum_{d=2}^{h(n+1)} d\,N_2(d) + n + 1} > \frac{\sum_{d=2}^{h(n+1)} N_2(d) + 2}{\sum_{d=2}^{h(n+1)} d\,N_2(d) + n + 2} = \omega(n+1),$$

where the first inequality and the last equality follow from the definition of $h(\cdot)$ by (4.7). □
  n   h(n)  ω(n)        n   h(n)  ω(n)        n     h(n)  ω(n)
  2   1     0.66667     12  4     ?           296   10    0.09996
  3   1     0.50000     20  5     0.19718     522   11    0.09089
  4   2     0.42857     34  6     0.16547     934   12    0.08332
  5   2     0.37500     57  7     0.14236     1681  13    0.07692
  6   2     0.33333     98  8     0.12478     3058  14    0.07143
  7   3     0.31250     169 9     0.11101     5596  15    0.06667

Table 2. The values of h(n) and ω(n)

We enumerate the values of $h(n)$ and $\omega(n)$ for some integers $n$ in Table 2.
Lemma 4.10. For every integer $n \ge 7$, we have that $\omega(n) > 2/n$.

Proof. Due to Table 2 and Lemma 4.8, we have that $h(n) \ge 3$ for every integer $n \ge 7$. It follows that $\omega(n) \ge \phi_n(1, 1, 2, 0, \ldots, 0, 1) = 5/(n+9)$, and $5/(n+9) > 2/n$ whenever $n > 6$. □
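As a numerical check of Table 2 and of the bound in Lemma 4.10, the following Python script (added by the editor; it is not part of the paper) computes $N_2(d)$, $\phi_n(1, N_2(2), \ldots, N_2(h), 0, \ldots, 0, 1)$, $\omega(n)$, $h(n)$ and the lower bound on $\eta(n, g, g)$ from Theorem 4.11. It assumes the closed form $(\sum_{d=2}^{h} N_2(d) + 2)/(\sum_{d=2}^{h} d\,N_2(d) + n + 1)$ used in the proof of Lemma 4.9 and Gauss's formula for the number $N_2(d)$ of monic irreducible polynomials of degree $d$ over $GF(2)$; the function names are the editor's.

```python
from fractions import Fraction

def mobius(m):
    """Möbius function mu(m) by trial division (m >= 1)."""
    result, p = 1, 2
    while p * p <= m:
        if m % p == 0:
            m //= p
            if m % p == 0:
                return 0            # a squared prime factor kills mu
            result = -result
        p += 1
    return -result if m > 1 else result

def N2(d):
    """N_2(d): monic irreducible polynomials of degree d over GF(2) (Gauss's formula; assumed)."""
    return sum(mobius(d // e) * 2 ** e for e in range(1, d + 1) if d % e == 0) // d

def phi(n, h):
    """phi_n(1, N_2(2), ..., N_2(h), 0, ..., 0, 1) in the closed form of Lemma 4.9's proof (assumed)."""
    num = sum(N2(d) for d in range(2, h + 1)) + 2
    den = sum(d * N2(d) for d in range(2, h + 1)) + n + 1
    return Fraction(num, den)

def omega_and_h(n):
    """omega(n) = max over 1 <= h < n of phi(n, h), as in (4.6); h(n) = smallest maximiser, as in (4.7)."""
    counts = [0, 0] + [N2(d) for d in range(2, n)]   # counts[d] = N_2(d)
    num, den = 2, n + 1                               # h = 1 term: 2 / (n + 1)
    best, best_h = Fraction(num, den), 1
    for h in range(2, n):                             # prefix sums, so N_2 is computed once
        num += counts[h]
        den += h * counts[h]
        value = Fraction(num, den)
        if value > best:                              # strict: keep the smallest h on ties
            best, best_h = value, h
    return best, best_h

def eta_lower_bound(n):
    """Theorem 4.11 bound on eta(n, g, g): 1 - 2/n for prime n >= 7, else 1 - omega(n)."""
    is_prime = n >= 2 and all(n % p for p in range(2, int(n ** 0.5) + 1))
    if n >= 7 and is_prime:
        return 1 - Fraction(2, n)
    return 1 - omega_and_h(n)[0]

if __name__ == "__main__":
    for n in (2, 3, 4, 5, 6, 7, 12, 20, 34, 57, 98, 169, 296):
        w, h = omega_and_h(n)
        print(f"n={n:4d}  h(n)={h:2d}  omega(n)={float(w):.5f}  eta >= {float(eta_lower_bound(n)):.5f}")
```

Running it reproduces the $h(n)$ and $\omega(n)$ entries of the first two column groups of Table 2 and confirms $\omega(n) > 2/n$ for $n \ge 7$.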

At last, we have the following theorem.

Theorem 4.11. We have that

$$\eta(n, g, g) \ge \begin{cases} 1 - \omega(n) & \text{if } 2 \le n \le 6 \text{ or } n \ge 7 \text{ is composite;} \\ 1 - \dfrac{2}{n} & \text{if } n \ge 7 \text{ is prime.} \end{cases}$$

Proof. Table 2 shows that $\omega(n) \le 2/n$ for every integer $2 \le n \le 6$. Due to Lemma 4.5 and Lemma 4.6, we have that $\varepsilon(n, g, x, g) \ge \max\{1 - 2/n,\ 1 - \omega(n)\} = 1 - \omega(n)$ for $n = 2, 3, 5$, and $\varepsilon(n, g, x, g) \ge 1 - \omega(n)$ for $n = 4, 6$. Due to (4.3), we have that

$$\eta(n, g, g) = \frac{1}{q} \sum_{x \in \mathbb{Z}_q} \varepsilon(n, g, x, g) \ge 1 - \omega(n).$$

Due to Lemma 4.5, Lemma 4.6 and Lemma 4.10, we have that $\varepsilon(n, g, x, g) \ge \max\{1 - 2/n,\ 1 - \omega(n)\} = 1 - 2/n$ if $n \ge 7$ is prime and $\varepsilon(n, g, x, g) \ge 1 - \omega(n)$ if $n \ge 7$ is composite. Due to (4.3), we have that $\eta(n, g, g) \ge 1 - 2/n$ if $n \ge 7$ is prime and $\eta(n, g, g) \ge 1 - \omega(n)$ if $n \ge 7$ is composite. □
By Theorem 4.11, Lemma 4.9 and Table 2, we see that $\eta(n, g, g)$ is always non-negligible. Hence, we have the following theorem.

Theorem 4.12. The restricted version does not satisfy the correctness requirement if $F(t) = g$.

4.5 Extension to A Set of Polynomials 

In this section, we extend Theorem 4.12 to a set of polynomials $F(t) \in L[t]$. In particular, we follow the notation of Section 4.4 and show that the restricted version does not satisfy the correctness requirement if $F(t) \in \mathcal{P}$, where

$$\mathcal{P} = \Big\{ f(t) = \sum_{k=0}^{d} f_k t^k : \exists\, 0 \le l \le d \text{ such that } f_l \in L \text{ is primitive and } f_k \in K \text{ for every } k \ne l \Big\}.$$

Note that the polynomial $F(t) = g \in L[t]$ we studied in Section 4.4 is in $\mathcal{P}$ and satisfies Lemma 4.3, which is critical for obtaining all subsequent lemmas and theorems. The next lemma shows that Lemma 4.3 holds for any polynomial $F(t) \in \mathcal{P}$ as well.

Lemma 4.13. Let $F(t) \in \mathcal{P}$. Then for every $x \in \mathbb{Z}_q$, $u \in U_x$, $s \in \mathbb{Z}_q$ and $r \in K$, either $V(\beta) = 0$ for every $\beta \in D_u$ or $E(t)$ has at most one root in $D_u$.

Proof. If $V(g^u) = 0$, then $V(g^{u \cdot 2^j}) = V(g^u)^{2^j} = 0$ for every $j \in \mathbb{N}$, i.e., $V(\beta) = 0$ for every $\beta \in D_u$. Otherwise, we have $V(\beta) \ne 0$ for every $\beta \in D_u$. Suppose $F(t) = \sum_{k=0}^{d} F_k t^k$, where $F_l \in L$ is of order $q$ and $F_k \in K$ for every $k \ne l$. We show that $E(t)$ has at most one root in $D_u$, where

$$E(t) = W(t) + V(t) \times (F(t) + r).$$

Suppose $E(t)$ has two different roots in $D_u$, say $g^{u \cdot 2^a}$ and $g^{u \cdot 2^b}$, where $0 \le a < b < n$. Then

$$W(g^{u \cdot 2^a}) + V(g^{u \cdot 2^a})(F(g^{u \cdot 2^a}) + r) = 0 = W(g^{u \cdot 2^b}) + V(g^{u \cdot 2^b})(F(g^{u \cdot 2^b}) + r).$$

It follows that

$$(F(g^{u \cdot 2^a}) + r)^{2^{n-a}} = (F(g^{u \cdot 2^b}) + r)^{2^{n-b}}. \tag{4.10}$$

Let $c \in \{a, b\}$. Then it is not hard to see that

$$(F(g^{u \cdot 2^c}) + r)^{2^{n-c}} = \sum_{k=0}^{l-1} F_k g^{uk} + \sum_{k=l+1}^{d} F_k g^{uk} + F_l^{2^{n-c}} g^{ul} + r.$$

Due to (4.10), we have that $F_l^{2^{n-a}} = F_l^{2^{n-b}}$. Since $F_l \in L$ is primitive, we have $(2^n - 1) \mid (2^{n-a} - 2^{n-b})$ and therefore $n \mid (b - a)$, which is a contradiction. □
Due to Lemma 4.13, we note that all lemmas and theorems subsequent to Lemma 4.3 in Section 4.4 can be generalized to any polynomial $F(t) \in \mathcal{P}$. Therefore, we have that

Theorem 4.14. The restricted version does not satisfy the correctness requirement if $F(t) \in \mathcal{P}$.

4.6 Extension to Any Characteristic p > 2 

We have stressed in Section 4.3 that our methodology is applicable when the characteristic of all related finite fields is any prime $p$. For example, it is obvious that we have an analog of Lemma 4.6 for any characteristic $p > 2$. Let $\omega_p(n)$ be the analog of the function $\omega(n)$ when the characteristic of all related finite fields is a prime $p > 2$. Then the following theorem holds as well.

Theorem 4.15. We have that $\eta(n, g, g) \ge 1 - \omega_p(n)$ for every integer $n \ge 2$, where $g \in GF(p^n)$ is primitive and $p$ is an arbitrary prime number.

It follows that Theorem 4.14 also holds when the characteristic of all related finite fields is any prime $p > 2$.

5 Conclusion 

In this paper, we show that the Bringer-Chabanne EPIR protocol does not satisfy the correctness requirement. To simplify the argument, we give a restricted version of the Bringer-Chabanne EPIR protocol. If the original protocol satisfies the correctness requirement, then so does the restricted version. We show that the restricted version fails frequently if the polynomial to be evaluated has some special property. This allows us to get the expected conclusion, i.e., the Bringer-Chabanne EPIR protocol does not satisfy the correctness requirement.